Network addresses for WithSecure on-premise products

UPDATE 2026-01-12: The list of network addresses has been updated to reflect the current requirements

UPDATE 2024-09-06: Added a note to highlight that product functionality can be affected if access to these network addresses is not allowed

UPDATE 2024-01-25: Updated references to aspam.sp.f-secure.com

For many customers, WithSecure products will function correctly without needing to know which servers the products connect to.

However, some administrators tightly control which network addresses they allow their clients to connect to (“Egress control” or “outbound connections”), and it is mandatory that they allow connections to the following addresses. WithSecure cannot guarantee the functionality of the products if access to these addresses is blocked.

The product may not function correctly if access to these network addresses is not allowed.

In addition, WithSecure Linux Security 64 and WithSecure Atlant can use an offline mode, which can help in isolated environments. Please note that this will limit some functionality. Please check the user guides for more information

Please note that all the following require outbound connections to TCP/443 unless otherwise stated.

Additionally, any products listed in this document also includes F-Secure branded versions of the same products.

Recommendations

WithSecure recommends, where possible, that administrators allow outbound access to all address under the withsecure.com and fsapi.com domains. We do appreciate that this is not always possible due to firewall configuration limitations, or even from an operational perspective, so we are publishing an explicit list of server addresses.

Please note that we do not guarantee this list of addresses is complete or will stay unchanged, so we strongly recommend bookmarking these articles for future reference. We will update these articles whenever needed.

WithSecure Business Suite

Business Suite includes:

WithSecure Policy Manager (Windows & Linux)
WithSecure Policy Manager Proxy (Windows & Linux)
WithSecure Client Security (including Premium, Mac)
WithSecure Server Security (including Premium)
WithSecure Linux Security 64

For environments that only connect to the internet via the Policy Manager, it is enough to ensure that the Policy Manager (or Policy Manager Proxy) can reach these services.

Business Suite 16 onwards

corp-reg.fsapi.com

This server is used by Policy Manager for license registration. Blocking this server will prevent license validation.

guts2.fsapi.com (also TCP/80)

This server is used to deliver updates for scanning engines and detection rules, and for some products updates to the software itself. Blocking this server will completely stop security updates.

a.karma.sc2.fsapi.com

restmc.mind.sc2.fsapi.com

mind-failover.sc2.fsapi.com

api.doorman.fsapi.com

Backend services needed for Security Cloud functionality

api.prd.glb.us-prd.fsapi.com

Used to control updates for Linux Security 64

download.fsapi.com

Used for the hotfix update mechanism for Linux Security 64

WithSecure Email and Server Security

While WithSecure Email and Server Security is not part of Business Suite, the network addresses needed are the same as for Business Suite, with the addition of an extra address

ESS version 16 onwards

aspam.fsapi.com

Used to check email content for Spam in the ESS product.

WithSecure Atlant

Versions 1.0.319 onwards